TweetDeck vulnerability could have been much worse — The whole thing started with a <3 — Putter Panda release was calculated decision


EXPERT: TWEETDECK HACK COULD HAVE BEEN MUCH WORSE — TweetDeck users worldwide are lucky that those who exploited a short-lived vulnerability in the Twitter application yesterday didn’t have more malevolent intentions, says Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology. “It could have been a lot worse,” Hall told MC. “They could have found ways to steal stuff in the browser. I don’t know how many things you could do in Twitter with this, but you could tweet, you could retweet, you could change profile blurbs … you could have tweeted a malicious link.”

Twitter took down its TweetDeck application for about an hour yesterday as it fixed the cross-site scripting, or XSS, vulnerability that caused the app to execute JavaScript code embedded in the content of tweets. It was exploited via pop-up windows in users’ TweetDecks that said things like, “Yo!” and through a much-circulated tweet containing script that propagated itself by instructing any account that rendered the tweet in its timeline to retweet it. “These are the good ways to learn, when someone pokes a hole in your infrastructure and is kind of a menace or a graffiti artist rather than doing something really malicious,” Hall said. He also praised Twitter’s security team for quick action, saying the social network still overall has excellent security. More, from your morning host: http://politico.pro/1q5HTaw
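The class of bug described above is a client-side XSS: tweet text that should be treated as data is instead handed to the browser as markup. The following is an added illustration, not TweetDeck’s or Twitter’s code, and the vulnerable rendering pattern, the sample tweets and the helper names (`renderTweetUnsafe`, `renderTweetSafe`, `escapeHtml`, `containsUnexpectedMarkup`, `audit`) are all constructed for this example; it does not claim to reproduce the actual TweetDeck defect.

```javascript
// Added example, not code from TweetDeck or Twitter. Shows why rendering untrusted
// tweet text as HTML lets script inside a tweet execute, and the hardened form.

// Constructed sample tweets. The heart "<3" is harmless on its own; the hazard is
// any text the renderer will interpret as a tag or attribute.
const SAMPLE_TWEETS = [
  "I <3 TweetDeck",
  'Yo! <script>alert("Yo!")</script>',
  '<img src="x" onerror="alert(1)">',
];

// Vulnerable pattern (assumed for illustration): raw text concatenated into markup,
// equivalent to `element.innerHTML = "<p>" + text + "</p>"` in a browser.
function renderTweetUnsafe(text) {
  return `<p class="tweet-text">${text}</p>`;
}

// Hardened pattern: escape the five HTML metacharacters so the text is inert.
// In a browser, `element.textContent = text` gives the same result without string building.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderTweetSafe(text) {
  return `<p class="tweet-text">${escapeHtml(text)}</p>`;
}

// Regression check: after stripping the known wrapper <p>, does any tag-like
// sequence remain? A team can run this over its own renderer as a unit test.
function containsUnexpectedMarkup(html) {
  const inner = html
    .replace(/^<p class="tweet-text">/, "")
    .replace(/<\/p>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Run every sample tweet through a renderer and report which ones leak markup.
function audit(render) {
  return SAMPLE_TWEETS.map((t) => containsUnexpectedMarkup(render(t)));
}

// Stand-alone usage: the unsafe renderer leaks markup for two of three samples,
// the safe renderer for none.
console.log("unsafe:", audit(renderTweetUnsafe));
console.log("safe:  ", audit(renderTweetSafe));
```

The `audit` helper is the point: escaping is easy to get right in one place and easy to forget in the next, so a fixed list of constructed hostile samples fed through every rendering path catches the regression before it reaches users.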

AND THE WHOLE THING STARTED WITH A <3 — The vulnerability seems to have first appeared when a 19-year-old in Austria was playing with tweeting a heart symbol, inadvertently discovering a way for attackers to inject commands through a tweet, CNN Money reported. “‘It wasn't a hack. It was some sort of accident,’ he said. Firo tried it a few times, adding a heart to every message until he got it to create a pop-up on his own TweetDeck dashboard. He then announced triumphantly: ‘Vulnerability discovered in TweetDeck. \ o /’ Firo let Twitter know about the vulnerability as soon as he found it. But it was too late.” More: http://cnnmon.ie/1nxkknT

CANTOR NEWS STILL REVERBERATING — With news of his coming resignation as majority leader and stunning primary loss still dominating conversation inside the Beltway, cyber-watchers are concerned that cybersecurity progress may stall with Eric Cantor’s departure from GOP leadership. Cantor, who was defeated in a shocking upset Tuesday night, was one of the architects of the voluntary approach to private-sector cybersecurity that now enjoys bipartisan support in Washington.

Cantor “was one of the thought leaders in developing the cybersecurity policy we’re now following on a more or less bipartisan basis,” said Larry Clinton of the Internet Security Alliance. “Without his leadership, it may be difficult to push the legislation that will be required to implement the vision of a cybersecurity approach based on voluntary improvements [by the private sector] motivated by market incentives.” Agreed the Center for National Policy’s Matthew Rhoades: “Along with Speaker John Boehner, Eric Cantor was a key figure in shaping the overall approach the House of Representatives has taken [to this issue] over the past two Congresses. … His departure will be bad news for legislating writ large, and that includes on cybersecurity.”

HAPPY THURSDAY and welcome to Morning Cybersecurity, where your host thinks there are few things more satisfying than watching a summer storm roll in — as long as you’re warm and dry and safe indoors. As always, send your thoughts, tips, feedback and World Cup predictions to tkopan@politico.com and follow @talkopan, @POLITICOPro and @MorningCybersec. Full team info is below.

PUTTER PANDA RELEASE WAS CALCULATED DECISION — CrowdStrike’s decision this week to release a report publicly identifying another Chinese military hacking unit, which they called Putter Panda, was a calculated response to the way China reacted to recent indictments by the Justice Department of five of its PLA officers, said Steven Chabinsky, CrowdStrike’s general counsel and chief risk officer. “We want to keep the pressure on,” Chabinsky told MC yesterday. He said prior to its release, the company was watching for China’s response to the DOJ’s charges. “The U.S. was prepared to put up the highest level of proof,” in the form of presenting a case at trial, that the Chinese government was sponsoring economic espionage, Chabinsky said, and the response was “remarkable” and “disappointing” in that it was immediate, reactive and not open to dialogue.

“They might as well say, ‘We are doing this and there is nothing you can do about it,’” Chabinsky said, by immediately accusing the U.S. of lying and hypocrisy instead of saying they would look into the allegations. “If China wasn’t behind it, wouldn’t they be interested in reviewing the information to help bring the actual hackers to justice?” he added. The security company decided that it would release some of its research on China to back the government’s efforts to deter the threat and identify those responsible for cyber-intrusions. The Department of Justice and other governments were given a heads up before the report was released, Chabinsky said, and CrowdStrike received no objections.

WHEELER: INDUSTRY MUST TAKE THE LEAD ON CYBERSECURITY — FCC Chairman Tom Wheeler will challenge the communications industry this morning to be more transparent and accountable as it secures its networks, FCC sources tell our friends over at Morning Tech. The speech this morning, at an AEI event considering cybersecurity in the wake of the Edward Snowden disclosures, is the chairman's first major foray on the topic of cybersecurity. He'll say he'd rather the industry develop its own measurable solutions, rather than look to any FCC regulation. Others at the event: former NSA Directors Keith Alexander and Michael Hayden, FTC Commissioner Maureen Ohlhausen and Rep. Mike Rogers. The action kicks off at 11:15 a.m. Livestream: http://bit.ly/1oPuvp8

RICE: CYBER PART OF INTERNATIONAL COLLECTIVE ACTION — National Security Adviser Susan Rice cited cybersecurity and the need for global norms during a speech yesterday on the need to mobilize international coalitions against transnational security challenges. America is “working with our partners to expand international law enforcement cooperation and ensure that emerging norms, including the protection of intellectual property and civilian infrastructure, are respected in cyberspace,” Rice said in yesterday’s keynote address at a Center for a New American Security conference. As an example of partnership, she cited law enforcement agency cooperation in last week’s coordinated takedown by more than 10 countries of the Gameover Zeus botnet. Last month’s indictment of PLA hackers was to make “it clear there’s no room for government-sponsored theft in cyberspace for commercial gain,” she added.

LEAHY WANTS TO MARKUP USA FREEDOM IN ‘NEXT FEW WEEKS’ — Senate Judiciary Committee Chairman Patrick Leahy told our friends at Morning Tech that he's been huddling with some of the Republicans on his committee this week to find common ground on the USA FREEDOM Act, ahead of a markup he hopes to hold on the bill "in the next few weeks," he said off the Senate floor. A committee aide, however, said the chairman is still determining the best path forward for the bill, so don't circle any dates just yet. Leahy's promised to push for a stronger bill, after legislation in the House drew criticism from tech companies and privacy advocates last month. We're tracking.

TARGET KEEPS BOARD — “Target, in its first shareholders’ meeting since its data security breach, re-elected all 10 members of its board of directors [yesterday], even after an influential proxy adviser recommended last month that seven of them should get the boot,” Pro Tech’s Jody Serrano reports. “Board members were re-elected within the first 10 minutes of the meeting and without much fanfare. … At the meeting, Target interim Chairwoman Roxanne Austin said the company recognized that it was going through a rough patch but taking steps to improve. The entire meeting lasted a little more than 30 minutes.”

COMEY: CYBER ‘DOMINATES’ AT FBI — FBI Director James Comey told members of Congress yesterday that cybersecurity is a “vector” that touches everything the FBI is involved with. “We as Americans have connected our entire lives to the Internet,” he said in his opening at a House Judiciary hearing yesterday. “It’s where our children play, it’s where our healthcare information is, it’s where our finances are, it’s where our social lives are, our government secrets, our infrastructure — almost everything that matters is connected to the Internet, and soon our refrigerators will be, and our sneakers and the rest of our lives. Because of that, it’s where the people who would do us harm … come to do those bad things.” Comey also talked about the Justice Department’s Chinese military indictments, talking up information sharing and saying there are other states involved in cyberespionage. More, from your host: http://politico.pro/1hQ0pkO